seccomp (short for secure computing[1]) is a computer security facility in the Linux kernel. seccomp allows a process to make a one-way transition into a "secure" state where it cannot make any system calls except exit(), sigreturn(), read() and write() to already-open file descriptors. Should it attempt any other system calls, the kernel will either just log the event or terminate the process with SIGKILL or SIGSYS.[2][3] In this sense, it does not virtualize the system's resources but isolates the process from them entirely.

seccomp
Original author(s): Andrea Arcangeli
Initial release: March 8, 2005
Written in: C
Operating system: Linux
Type: Sandboxing
License: GNU General Public License
Website: code.google.com/archive/p/seccompsandbox/wikis/overview.wiki

seccomp mode is enabled via the prctl(2) system call using the PR_SET_SECCOMP argument, or (since Linux kernel 3.17[4]) via the seccomp(2) system call.[5] seccomp mode used to be enabled by writing to a file, /proc/self/seccomp, but this method was removed in favor of prctl().[6] In some kernel versions, seccomp disables the RDTSC x86 instruction, which returns the number of elapsed processor cycles since power-on, used for high-precision timing.[7]

seccomp-bpf is an extension to seccomp[8] that allows filtering of system calls using a configurable policy implemented using Berkeley Packet Filter rules. It is used by OpenSSH[9] and vsftpd as well as the Google Chrome/Chromium web browsers on ChromeOS and Linux.[10] (In this regard seccomp-bpf achieves similar functionality, but with more flexibility and higher performance, to the older systrace—which seems to be no longer supported for Linux.)
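The following C program is an added example, not code from this article or from any of the projects it lists. It ties together the three preceding paragraphs: the prctl(PR_SET_SECCOMP) entry point, the seccomp-bpf allowlist expressed as BPF rules, and the SIGSYS termination that an unlisted system call triggers. The filter is installed in a forked child so the parent can observe the result. Function names (build_allowlist_filter, install_filter, run_sandboxed), the chosen allowlist and the sample message are this example's own; it assumes a Linux kernel with CONFIG_SECCOMP_FILTER on x86_64, aarch64 or i386. Filter mode is used rather than the strict mode of the first paragraph because a filter stacks on top of any filter the process already runs under (for example a container runtime's), whereas strict mode cannot be entered once a filter is in place.

```c
/* Added example (not from the article or any listed project): a seccomp-bpf
 * allowlist installed with prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER).
 * Assumes Linux with CONFIG_SECCOMP_FILTER on x86_64 / aarch64 / i386. */
#define _GNU_SOURCE
#include <stddef.h>
#include <stdio.h>
#include <signal.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_I386
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U /* value used by Linux >= 4.14 */
#endif

/* Emit a classic-BPF program that kills the process unless the ABI matches
 * and the syscall number is in `allowed`. Layout: load arch, compare, kill,
 * load nr, then (compare, allow) per entry, then a default kill: 2*n + 5
 * instructions. Returns the instruction count, or 0 if `out` is too small. */
size_t build_allowlist_filter(const int *allowed, size_t n,
                              struct sock_filter *out, size_t cap)
{
    size_t need = 2 * n + 5, i = 0;
    if (cap < need)
        return 0;
    /* Check the architecture first: syscall numbers differ between ABIs, so
     * a number that is harmless on one ABI may be something else on another. */
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                            offsetof(struct seccomp_data, arch));
    out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                            SECCOMP_AUDIT_ARCH, 1, 0);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                            offsetof(struct seccomp_data, nr));
    for (size_t k = 0; k < n; k++) {
        /* jt=0 falls into the ALLOW below; jf=1 skips it to the next compare. */
        out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                (unsigned)allowed[k], 0, 1);
        out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    return i;
}

/* Install the filter on the calling thread. PR_SET_NO_NEW_PRIVS is required
 * for an unprivileged caller. seccomp(2) (Linux 3.17+) accepts the same
 * program and adds flags such as thread synchronisation; prctl is used here
 * because it works with older headers as well. */
static int install_filter(struct sock_filter *insns, size_t count)
{
    struct sock_fprog prog = { .len = (unsigned short)count, .filter = insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Fork a child, confine it to read/write/exit/rt_sigreturn (plus exit_group,
 * which glibc's _exit issues), then let it invoke syscall `nr`. Returns 0 if
 * the child exited normally, the signal number if the kernel killed it, or
 * -1 if the sandbox could not be set up. */
int run_sandboxed(long nr, long a1, long a2, long a3)
{
    static const int allowed[] = { SYS_read, SYS_write, SYS_exit,
                                   SYS_exit_group, SYS_rt_sigreturn };
    struct sock_filter insns[32];
    size_t count = build_allowlist_filter(allowed, 5, insns, 32);
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (count == 0 || install_filter(insns, count) != 0)
            _exit(99);                 /* still unfiltered: report setup failure */
        syscall(nr, a1, a2, a3);       /* every call from here on is filtered */
        _exit(0);                      /* exit_group: on the allowlist */
    }
    int status;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    if (WIFSIGNALED(status))
        return WTERMSIG(status);
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void)
{
    const char *msg = "hello from the sandbox\n";   /* constructed sample */
    int r = run_sandboxed(SYS_write, 1, (long)msg, 23);
    printf("write() under the filter: %s (code %d)\n", r == 0 ? "allowed" : "killed", r);
    r = run_sandboxed(SYS_getpid, 0, 0, 0);
    printf("getpid() under the filter: %s (signal %d, SIGSYS is %d)\n",
           r > 0 ? "killed" : "survived", r, SIGSYS);
    return 0;
}
```

The architecture check at the top of the program is the part most often omitted in hand-written filters; without it a process that can switch ABIs (for example via the 32-bit entry point on x86_64) would be judged against the wrong syscall numbering, which is exactly the "32/64 syscall hole" discussed in the mailing-list threads cited below.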

Some consider seccomp comparable to OpenBSD pledge(2) and FreeBSD capsicum(4)[citation needed].

History


seccomp was first devised by Andrea Arcangeli in January 2005 for use in public grid computing and was originally intended as a means of safely running untrusted compute-bound programs. It was merged into the Linux kernel mainline in kernel version 2.6.12, which was released on March 8, 2005.[11]

Software using seccomp or seccomp-bpf

  • Android uses a seccomp-bpf filter in the zygote since Android 8.0 Oreo.[12]
  • systemd's sandboxing options are based on seccomp.[13]
  • QEMU, the Quick Emulator, a core component of modern virtualization together with KVM, uses seccomp via the --sandbox parameter.[14]
  • Docker – software that allows applications to run inside of isolated containers. Docker can associate a seccomp profile with the container using the --security-opt parameter.
  • Arcangeli's CPUShare was the only known user of seccomp for a while.[15] Writing in February 2009, Linus Torvalds expressed doubt whether seccomp was actually used by anyone.[16] However, a Google engineer replied that Google was exploring using seccomp for sandboxing its Chrome web browser.[17][18]
  • Firejail is an open source Linux sandbox program that utilizes Linux namespaces, seccomp, and other kernel-level security features to sandbox Linux and Wine applications.[19]
  • As of Chrome version 20, seccomp-bpf is used to sandbox Adobe Flash Player.[20]
  • As of Chrome version 23, seccomp-bpf is used to sandbox the renderers.[21]
  • Snaps specify the shape of their application sandbox using "interfaces", which snapd translates to seccomp, AppArmor and other security constructs.[22]
  • vsftpd uses seccomp-bpf sandboxing as of version 3.0.0.[23]
  • OpenSSH has supported seccomp-bpf since version 6.0.[9]
  • Mbox uses ptrace along with seccomp-bpf to create a secure sandbox with less overhead than ptrace alone.[24]
  • LXD, an Ubuntu "hypervisor" for containers[25][26]
  • Firefox and Firefox OS, which use seccomp-bpf[27][28]
  • Tor supports seccomp since 0.2.5.1-alpha[29]
  • Lepton, a JPEG compression tool developed by Dropbox, uses seccomp[30]
  • Kafel is a configuration language which converts readable policies into seccomp-bpf bytecode[31]
  • Subgraph OS uses seccomp-bpf[32][33]
  • Flatpak uses seccomp for process isolation[34]
  • Bubblewrap is a lightweight sandbox application developed from Flatpak[35]
  • minijail[36] uses seccomp for process isolation[37]
  • SydBox uses seccomp-bpf[38] to improve the runtime and security of the ptrace sandboxing used to sandbox package builds on the Exherbo Linux distribution.
  • File, a Unix program to determine file types, uses seccomp to restrict its runtime environment[39]
  • Zathura, a minimalistic document viewer, uses seccomp filters to implement different sandbox modes[40]
  • Tracker, an indexing and preview application for the GNOME desktop environment, uses seccomp to prevent automatic exploitation of parsing vulnerabilities in media files[41]

References

  1. ^ seccomp(2): "The seccomp() system call operates on the Secure Computing (seccomp) state" – Linux Programmer's Manual – System Calls
  2. ^ Corbet, Jonathan (2015-09-02). "A seccomp overview". lwn. Retrieved 2017-10-05.
  3. ^ "Documentation/prctl/seccomp_filter.txt". Retrieved 2017-10-05.
  4. ^ "Linux kernel 3.17, Section 11. Security". kernelnewbies.org. 2013-10-05. Retrieved 2015-03-31.
  5. ^ "seccomp: add "seccomp" syscall". kernel/git/torvalds/linux.git - Linux kernel source tree. kernel.org. 2014-06-25. Retrieved 2014-08-22.
  6. ^ Arcangeli, Andrea (2007-06-14). "[PATCH 1 of 2] move seccomp from /proc to a prctl". Retrieved 2013-08-02.
  7. ^ Tinnes, Julien (2009-05-28). "Time-stamp counter disabling oddities in the Linux kernel". cr0 blog. Retrieved 2013-08-02.
  8. ^ Corbet, Jonathan (2012-01-11). "Yet another new approach to seccomp". lwn. Retrieved 2013-08-02.
  9. ^ a b "OpenSSH 6.0 release notes". Retrieved 2013-10-14.
  10. ^ Tinnes, Julien (2012-11-19). "A safer playground for your Linux and Chrome OS renderers". The Chromium Blog. Retrieved 2013-08-02.
  11. ^ "[PATCH] seccomp: secure computing support". Linux kernel history. Kernel.org git repositories. 2005-03-08. Archived from the original on 2013-04-15. Retrieved 2013-08-02.
  12. ^ "Seccomp filter in Android O". Android Developers Blog.
  13. ^ "systemd.exec — Execution environment configuration". freedesktop.org. Retrieved 2017-10-14.
  14. ^ Otubo, Eduardo (2017-09-15). "QEMU Sandboxing new model pull request". qemu-devel mailing list archive.
  15. ^ van de Ven, Arjan (2009-02-28). "Re: [stable] [PATCH 2/2] x86-64: seccomp: fix 32/64 syscall hole". Linux Kernel Mailing List. Retrieved 2013-08-02.
  16. ^ Torvalds, Linus (2009-02-28). "Re: [PATCH 2/2] x86-64: seccomp: fix 32/64 syscall hole". Linux Kernel Mailing List. Retrieved 2013-08-02.
  17. ^ Gutschke, Markus (2009-05-06). "Re: [PATCH 2/2] x86-64: seccomp: fix 32/64 syscall hole". Retrieved 2013-08-02.
  18. ^ Gutschke, Markus (2009-05-06). "Re: [PATCH 2/2] x86-64: seccomp: fix 32/64 syscall hole". Linux Kernel Mailing List. Retrieved 2013-08-02.
  19. ^ "Firejail". Firejail. Retrieved 2016-11-26.
  20. ^ Evans, Chris (2012-07-04). "Chrome 20 on Linux and Flash sandboxing". Retrieved 2013-08-02.
  21. ^ Tinnes, Julien (2012-09-06). "Introducing Chrome's next-generation Linux sandbox". cr0 blog. Retrieved 2013-08-02.
  22. ^ "Snap security policy". Archived from the original on 2017-02-04. Retrieved 2017-02-03.
  23. ^ Evans, Chris (2012-04-09). "vsftpd-3.0.0 and seccomp filter sandboxing is here!". Retrieved 2013-08-02.
  24. ^ "MBOX". Retrieved 2014-05-20.
  25. ^ "LXD an "hypervisor" for containers (based on liblxc)". 4 November 2014. Retrieved 2014-11-08.
  26. ^ "Where We're Going With LXD". Retrieved 2014-11-08.
  27. ^ Destuynder, Guillaume (2012-09-13). "Firefox Seccomp sandbox". Mozilla Bugzilla. Retrieved 2015-01-13.
  28. ^ Destuynder, Guillaume (2012-09-13). "Firefox Seccomp sandbox". Mozilla Wiki. Retrieved 2015-01-13.
  29. ^ "Tor ChangeLog".
  30. ^ "Lepton image compression: saving 22% losslessly from images at 15MB/s". Dropbox Tech Blog. Retrieved 2016-07-15.
  31. ^ "Kafel: A language and library for specifying syscall filtering policies".
  32. ^ "Subgraph OS". Subgraph. Retrieved 2016-12-18.
  33. ^ "LoganCIJ16: Future of OS". YouTube. Archived from the original on 2021-12-21. Retrieved 2016-12-18.
  34. ^ "The flatpak security model – part 1: The basics". Retrieved 2017-01-21.
  35. ^ "bubblewrap". Retrieved 2018-04-14.
  36. ^ "Chromium OS Sandboxing - the Chromium Projects".
  37. ^ "Minijail [LWN.net]". lwn.net. Retrieved 2017-04-11.
  38. ^ "core/trace/use_seccomp". dev.exherbo.org. Retrieved 2021-05-31.
  39. ^ "File application Sandboxing". GitHub.
  40. ^ "Zathura seccomp implementation".
  41. ^ "Gnome tracker seccomp implementation".